{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28277", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.734Z", "datePublished": "2026-03-05T19:10:36.865Z", "dateUpdated": "2026-03-06T18:04:29.687Z"}, "containers": {"cna": {"title": "LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"}], "affected": [{"vendor": "langchain-ai", "product": "langgraph", "versions": [{"version": "<= 1.0.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:10:36.865Z"}, "descriptions": [{"lang": "en", "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public."}], "source": {"advisory": "GHSA-g48c-2wqr-h844", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:04:22.963963Z", "id": "CVE-2026-28277", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:04:29.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:04:22.963963Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:04:26.192Z"}}], "cna": {"title": "LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading", "source": {"advisory": "GHSA-g48c-2wqr-h844", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "langchain-ai", "product": "langgraph", "versions": [{"status": "affected", "version": "<= 1.0.9"}]}], "references": [{"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844", "name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T19:10:36.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28277", "state": "PUBLISHED", "dateUpdated": "2026-03-06T18:04:29.687Z", "dateReserved": "2026-02-26T01:52:58.734Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T19:10:36.865Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langchain:langgraph:*:*:*:*:*:*:*:*", "matchCriteriaId": "03EAA519-9C97-43CB-814B-DDDA61441C87", "versionEndIncluding": "1.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public."}, {"lang": "es", "value": "LangGraph SQLite Checkpoint es una implementaci\u00f3n de LangGraph CheckpointSaver que utiliza una base de datos SQLite (tanto s\u00edncrona como as\u00edncrona, a trav\u00e9s de aiosqlite). En la versi\u00f3n 1.0.9 y anteriores, los checkpointers de LangGraph pueden cargar checkpoints codificados en msgpack que reconstruyen objetos Python durante la deserializaci\u00f3n. Si un atacante puede modificar los datos del checkpoint en el almac\u00e9n de respaldo (por ejemplo, despu\u00e9s de un compromiso de la base de datos u otro acceso de escritura privilegiado a la capa de persistencia), pueden suministrar potencialmente una carga \u00fatil manipulada que desencadene una reconstrucci\u00f3n insegura de objetos cuando se carga el checkpoint. No se conoce ning\u00fan parche p\u00fablico."}], "id": "CVE-2026-28277", "lastModified": "2026-04-21T15:14:55.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T20:16:15.677", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "langgraph", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-04-16T12:13:30.764070+00:00", "value": {"mitigation_remediation": ["Restrict file system permissions on the SQLite checkpoint database so that only trusted processes and privileged users have write access.", "Enable monitoring and auditing of the checkpoint database to detect any unauthorized modifications promptly.", "Apply an official LangGraph patch or upgrade to a newer version as soon as an update becomes available."], "summary": {"action": "Assess Impact", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in LangChain AI\u2019s LangGraph package version 1.0.9 and earlier. The affected component is the SQLite\u2011based checkpoint loader used by LangGraph, which stores checkpoints in a local SQLite database. Any deployment that relies on these older LangGraph versions and allows the checkpoint database to be written to by untrusted parties is exposed.", "description_and_impact": "LangGraph load operations deserialize checkpoint data that is encoded with msgpack, automatically reconstructing Python objects during the process. This uncontrolled deserialization is a classic instance of unsafe object reconstruction, listed under CWE\u2011502. Because a crafted payload can influence the reconstruction logic, an attacker who can supply malicious data during checkpoint loading may be able to execute arbitrary code or otherwise compromise the running process.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, but the EPSS score of less than 1% suggests that actual exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, so no public exploits have been reported yet. Nevertheless, the attack requires the ability to alter the checkpoint database\u2014either through a database compromise or privileged write access. If an adversary succeeds in modifying the stored checkpoint, they can inject a payload that triggers unsafe deserialization, potentially leading to remote code execution."}}}}, "created": "2026-03-06T15:01:17.535275+00:00", "updated": "2026-04-16T12:15:35.095522+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langgraph"]}